Hinshaw & Culbertson's Insurance Litigation and Regulatory Law Blog provides coverage on insurance industry related case law, regulation and legislation at both the national and state level.

The six companies have agreed to privacy principles designed to bring the industry in line with California’s Online Privacy Protection Act (“the Act”), most significantly requiring mobile apps that collect personal information to have a privacy policy, and to display it in prominent fashion and in easy to understand language before the app is downloaded.

Two important features of the agreement are that consumers:

will be afforded the opportunity to review the app’s privacy policy before they download the app rather than after, and

will be offered a consistent location for finding the app’s privacy policy.

The six companies will also be tasked with educating the app developers about their privacy obligations and will be providing users tools to report non-compliant apps.

Privacy policies are important consumer protections that allow for transparency into how companies collect and use personal information. Currently, most apps do not have privacy policies.

An important part of the agreement is the recognition that the Act applies to independent app developers as well as operators of commercial websites and online services that sell and distribute them.

The Attorney General predicts that this agreement will have international impact as app developers will choose to comply with California law and the agreement because California is an important state (lots of app users here), and it will be administratively easier for the app developers to have one design that works everywhere.

At this point, it is uncertain whether the agreement will have the global impact the Attorney General predicts. That said, we have seen other California privacy laws assume a national impact.

For example, the California Security Breach Notification law was one of the first in the country and, as such, many companies doing business in California had to comply with it not only in California, but, for public relations reasons, everywhere – how could a large national company provide security breach notification letters in California to California residents, but not in Arizona?

In this example, the company would essentially be telling people in Arizona that their protection is less important than that of persons in California. Therefore, many companies simply decided to provide security breach notification letters everywhere they did business even before many states passed similar security breach notification laws. It is possible the same impact could happen with this new Act.